Faster Algorithms for Isogeny Problems using Torsion Point Images

Transcription

1 Faster Algorithms for Isogeny Problems using Torsion Point Images Christophe Petit School of Computer Science, University of Birmingham Abstract. There is a recent trend in cryptography to construct protocols based on the hardness of computing isogenies between supersingular elliptic curves. Two prominent examples are Jao-De Feo s key exchange protocol and the resulting encryption scheme by De Feo-Jao-Plût. One particularity of the isogeny problems underlying these protocols is that some additional information is given as input, namely the image of some torsion points with order coprime to the isogeny. This additional information was used in several active attacks against the protocols but the current best passive attacks make no use of it at all. In this paper, we provide new algorithms that exploit the additional information provided in isogeny protocols to speed up the resolution of the underlying problems. Our techniques lead to heuristic polynomial-time key recovery on two nonstandard variants of De Feo-Jao-Plût s protocols in plausible attack models. This shows that at least some isogeny problems are easier to solve when additional information is leaked. Introduction Following calls from major national security and standardization agencies, the next cryptographic standards will have to be post-quantum secure, namely they will have to rely on computational problems that will (at least to the best of our knowledge) remain hard for quantum computers. Several directions are currently explored for postquantum cryptography, including lattice-based cryptography, code-based cryptography, multivariate cryptography, hash-based cryptography and most recently cryptography based on isogeny problems. The latter are appealing for their mathematical elegance but also for the relatively small key sizes compared to other post-quantum candidates. The interest in isogeny problems as potential cryptographic building blocks is relatively new, and there has therefore not been much cryptanalytic work on them. The most established isogeny problem is the endomorphism ring computation problem, which was already considered by Kohel in his PhD thesis [2]. In the supersingular case this problem is (heuristically at least) equivalent to the problem of computing an isogeny between two randomly chosen curves [6], and it remains exponential time even for quantum algorithms today. The supersingular key exchange protocol of Jao-De Feo [] and the encryption scheme and signature schemes that are derived from it [7,9,25] rely on variants of these problems, where special primes and relatively small degree isogenies are used. More importantly for this paper, the attacker is also provided with the image by the isogeny of a large torsion group, in addition to the origin and image curves. Although it was

2 observed that this additional information could a priori make the problems easier, all security evaluations against passive attacks were based on a meet-in-the-middle strategy that makes no use at all of it.. Contributions In this paper, we study the impact of revealing the images of torsion points on the hardness of isogeny problems. We provide new techniques to successively exploit this additional information and improve on the best previous attacks, namely meet-in-the-middle attacks (see Section 2). Among other results, these techniques lead to polynomial-time algorithms to compute isogenies between two curves E 0 and E assuming. Some non scalar endomorphisms of E 0 are known and/or are of small degree. 2. The images of N 2 torsion points are revealed, where N 2 is significantly larger than the degree of the isogeny N. So far our techniques do not invalidate the parameters proposed in the original protocol (where N N 2 ). However, we describe two natural variants, which we call unbalanced variant and optimal degree variant, which can be attacked by our methods in plausible attack scenarios. We believe these generalizations are of independent interest, as they have some advantages over the original protocol when appropriate parameters are chosen. Our main contribution in this paper is our new attack techniques. We illustrate their potential with the following results:. (Section 3.) A nearly square root speedup on the problem of computing an endomorphism of a supersingular elliptic curve of a certain degree, when provided with some torsion point images through this endomorphism. 2. (Section 4.4.) A polynomial time key recovery attack on our optimal degree variant, provided N 2 > N 4 and E 0 is special (such special curves were suggested in previous implementations [4, 7] for efficiency reasons). 3. (Section 4.5.) A polynomial time key recovery attack on both variants, provided log N 2 = O(log 2 N ) and E 0 has a small degree non scalar endomorphism. These attacks show that (at least some) isogeny problems are easier to solve when the images of torsion points through the isogeny are revealed. Some of these attacks require further assumptions on N 2 ; we refer to the next sections for details. We provide a heuristic analysis for all these attacks. The heuristics used involve factorization patterns and other properties of integers of particular forms appearing in our algorithms, which we treat as random numbers of the same size. For the first two attacks these heuristics are very plausible, and we believe that they can either be proved or made unnecessary (though any of those options would require significant work). For the third attack they are still a priori plausible, but they may be very hard to prove or remove. Indeed the attack involves a recursive step, and a rigorous result would have to take into account correlations between successive steps. For this reason we additionally provide some experimental support for our third attack. 2

3 We believe the three attacks we develop here are only some examples of what our new techniques can achieve, and we leave further developments to further work..2 Background Reading We refer to the books of Silverman [9] and Vignéras [22] for background results on elliptic curves and quaternion algebras. Recent cryptographic constructions based on isogeny problems include [2, 7, 9,, 8, 24]. Computational aspects related to isogenies are covered in David Kohel s PhD thesis [2] and more recently in [8, 9]..3 Complexity Model Unless otherwise stated all complexity estimations in this paper use elementary bitwise operations as units. We use the standard big O notation to describe asymptotic complexities of algorithms. Recall that for any two functions f, g : N Z + we have f = O(g) if and only if there exists N N and c Z + such that g(n) cf(n) for any n N. We also use the big O tilde notation to hide any polylogarithmic factors in our complexity statements: namely for any two functions f, g : N Z + we have f = Õ(g) when there exists d Z + such that f = O(g log d g). The security levels of the protocols studied in this paper are functions of one or several security parameters. When we refer to polynomial time complexity we mean complexity O(f), where f is a polynomial function of these security parameters..4 Outline In Section 2 we first describe the supersingular key exchange protocol of Jao-De Feo [] and our two variants of this protocol, then we recall the most relevant cryptanalysis results on it. In Section 3 we describe faster algorithms to compute an endomorphism of a given supersingular elliptic curve, given the image of torsion points by this endomorphism. In Section 4 we turn to the problem of computing an isogeny between two supersingular elliptic curves given the images of torsion points by this isogeny, and we describe two attacks faster than the state-of-the-art meet-in-the-middle algorithm in this context. Finally, we summarize the impact of our techniques and results in Section 5, and we give perspectives for further work. 2 Supersingular Isogeny Key Exchange 2. Jao-De Feo s Key Exchange We recall the supersingular key exchange protocol of Jao-De Feo []. Setup. Let l, l 2 be two small primes. Given a security parameter λ, let e, e 2 be the smallest integers such that l e, le λ (or 2 3λ for post-quantum security). Let f be the smallest integer such that p = l e le2 2 f is prime. Let E 0 be a supersingular elliptic curve over F p 2. Let P, Q and P 2, Q 2 be respectively bases of the l e and le2 2 torsions on E 0. 3

4 First round. Alice chooses a random cyclic subgroup of order l e, say G = α P + β Q with at least one of α, β coprime to l. She computes the corresponding isogeny φ and image curve E, as well as φ (P 2 ) and φ (Q 2 ). She sends E, φ (P 2 ) and φ (Q 2 ) to Bob. Bob proceeds similarly, permuting the roles of l and l 2. Second round. Upon receiving E 2, φ 2 (P ) and φ 2 (Q ), Alice computes G = α φ 2 (P )+ β φ 2 (Q ), the corresponding isogeny φ, the image curve E 2 = E/ G, G 2 and its j-invariant j 2. Bob computes j 2 = j 2 similarly with the information sent by Alice. The shared secret is the value j 2 = j 2, or the result of applying some key derivation function to this value. The protocol is summarized in the following commutative diagram: φ E = E 0 /G E 0 E 2 = E 0 / G, G 2 φ 2 E 2 = E 0 /G 2 This protocol can be broken if one can compute isogenies between two given curves. However we stress that the curves appearing in this protocol are closer to each other in the isogeny graphs than random curves would be: indeed for any fixed E 0 there are only (l i + )l ei i p possible curves for E, while there are roughly p/2 supersingular j-invariants over F p 2. This allows more efficient meet-in-the-middle attacks in complexity Õ( 4 p) instead of Õ( p) for a generic curve pair. More importantly for this paper, some information on the isogenies is leaked by the protocol, as the image of a full torsion coprime with the isogeny degree is revealed. Finally, special primes are used to ensure that the l ei i torsions are defined over F p 2. For arbitrary p these torsions subgroups would be defined over large field extensions, resulting in an inefficient protocol. Remark. Let N = l e. If the image of the N torsion by a degree N isogeny was revealed it would be straightforward to recompute the isogeny, as this image would be the kernel of the dual isogeny. More generally if N is not coprime with the degree then part of the isogeny can be recovered efficiently. 2.2 Unbalanced and Optimal Degree Variants We now present two variants of the protocol, which we call unbalanced and optimal degree variants. Unbalanced variant. In their paper Jao and De Feo suggested parameters such that l e le2 2. We suggest to generalize the setup to allow for unbalanced parameters le2 2 l e in some contexts. The size of lei i determines the security of the corresponding secret key G i with respect to all previous attacks (see next subsection), while the size of p 4

5 would influence efficiency. Jao and De Feo therefore chose l e l e2 2 to provide the same security level on both Alice and Bob s ephemeral keys. However in some contexts as in the public key encryption scheme [7] one secret key is static and it may therefore make sense to protect it more strongly. This is achieved by our unbalanced variant. In the unbalanced variant, the setup procedure takes two security parameters λ and λ 2 as input. For i =, 2 it computes the smallest integer e i such that l ei i, 22λi (or 2 3λi for post-quantum security), and then the smallest integer f such that p = l e le2 is prime. The rest of the protocol is as in Jao and De Feo. 2 f Optimal degree variant. We now generalize the parameters such that the isogeny degrees are large enough to ensure uniform distribution of E i among all curves on the isogeny graphs: we call the resultant protocol optimal degree variant for this reason. In addition, this variant allows for arbitrary primes p rather than the very special primes used by Jao and De Feo. We recall that a number N = p ei i is B-powersmooth if for all i we have p ei i < B. In this paper we say that a number is powersmooth if it is B-powersmooth for some bound B that is polynomial in the security parameter. For an arbitrary prime p, we replace l e and le2 2 in the protocol by any powersmooth numbers N and N 2 that are coprime to each other and of size about p 2. Note that the N and N 2 torsions are a priori not defined over F p 2; however the powersmooth requirement ensures that they can be efficiently represented in a Chinese remainder manner (see [9]). On the other hand, the coprimality requirement ensures that the isogeny diagram commutes as in the original protocol. Finally, the condition N i p 2 on the isogeny degrees guarantees that E and E 2 are close to uniformly distributed [9], while for the original parameters and the unbalanced variant above we have N N 2 p. In the optimal degree variant, the setup procedure takes a security parameter λ. It chooses a random prime p with 2λ bits (or 3λ bits for post-quantum security). Then N and N 2 are chosen coprime to each other, such that both of them are powersmooth and have at least 2 log p bits. Then for each maximal prime power l ej j dividing either N or N 2 we fix a basis for the l ej j torsion. Note that this is defined over an extension field of degree at most 2l ej j, which has a size polynomial in λ. If N = p ej j then in the first round Alice chooses for each j one cyclic subgroup G j = α j P j + β j Q j with at least one of α j, β j coprime to p j. This implicitly defines a cyclic subgroup G of order N such that G = G j mod E 0 [l ej j ]. She computes the corresponding isogeny φ as a composition of isogenies of prime degrees, the image curve E = E 0 /G, and the image by φ of the l ej j torsion basis points, for each l ej j dividing N 2. Alice sends E and all torsion point images to Bob. Note that although the torsion points and their images are defined over some field extensions, all isogenies computed are defined over F p 2. Moreover the degree of any extension field involved is bounded by 2l ej j which is polynomial in the security parameter, so all elements can be efficiently represented and the computation runs in polynomial time. Bob proceeds similarly. In the second round, Alice computes φ 2 (G j ) using the information sent by the other party (as in the original protocol), then she computes E 2 /φ 2 (G ) as above, and finally the j-invariant of this curve. Bob proceeds similarly. 5

6 A first implementation of this variant is given in [3]. Because it allows both for arbitrary primes and for large enough degree isogenies, the optimal degree variant can a priori be more secure than the original protocol. On the other hand, working over field extensions, even of moderate degrees, has a significant efficiency cost in practice. We leave a precise complexity estimation and a thorough comparison of this variant with the original protocol to further work. Remark. Of course, one could also allow intermediate parameters where gcd(n N 2, (p+ ) 2 ) is a medium size factor of (p + ) 2 to ensure that the primes are not too special and at the same limit the size of the extension fields needed. 2.3 State-of-the Art on Cryptanalysis We refer to [9] for a thorough discussion of existing cryptanalysis results, and only describe the most relevant work for this paper. With the exception of active attacks in [8, 0, 2], previous cryptanalysis results have ignored the additional information revealed in De Feo-Jao-Plût s protocols. They therefore considered the following problem: Problem Let N be a positive integer, let p be a prime and let E, E 2 be two supersingular elliptic curves defined over F p 2, such that there exists an isogeny φ of degree N such that E 2 = E / ker φ. Compute φ. Remark. The most natural representation of φ is some canonical representation as two elements of the function field E (x, y). In cryptographic contexts the degree of φ is of exponential size so this representation is not efficient. However in these contexts the degree is often a smooth number so that the isogeny can be efficiently returned as a composition of rational maps. When N is large enough any pair of elliptic curves are connected by an isogeny of degree N, and this problem is heuristically equivalent to the endomorphism ring computation problem [6]. In De Feo-Jao-Plût s protocols, however, N = O( p) is too small to ensure this, and as N is moreover smooth one can do a meet-in-the-middle attack with complexity Õ( 4 p) (respectively Õ( 6 p) with a quantum computer) even if the endomorphism ring computation problem remains of complexity Õ( p) (respectively Õ( 3 p) with a quantum computer). We stress that the optimal degree variant we introduced above does not suffer from this problem, as the isogeny degrees are chosen large enough to ensure a uniform distribution of E 2. The following lemma generalizes the meet-in-the-middle strategy when the smoothness bound on N is not polynomial in log p. Lemma. Assume N = N N 2 where both N and N 2 are B-smooth. Then the meet-in-the-middle strategy has a time and memory complexity Õ(B max(n, N 2 )), neglecting log factors. PROOF: The factorization of N can be obtained in subexponential time, which is negligible with respect to max(n, N 2 ). Isogenies of prime degree can be computed in 6

7 quasilinear time in the degree. The meet-in-the-middle strategy computes O(N ) isogenies of degree N and O(N 2 ) isogenies of degree N 2, each of them as a composition of isogenies of degrees at most B. The active attack presented in [8] runs O(log p) executions of the key exchange protocol with the same party. Assuming this party uses a static secret key G, the attacker provides them with incorrect values for φ 2 (P ), φ 2 (Q ), observes variations in the resulting shared key j(e 2 ), and progressively deduces the key G. The loop-abort fault attack developed in [0] is similar to this attack. A fault attack is also used in [2] to replace φ 2 (P ) and φ 2 (Q ) by points whose order is not coprime with the isogeny degree. Our goal in this paper is to show how to exploit the torsion image information revealed in De Feo-Jao-Plût s protocols but using only passive attacks, namely for normal executions of the protocols. 3 Computing an Endomorphism from Additional Information From a computational number theory point of view, computing endomorphisms of a curve is a somewhat more natural task than computing isogenies between two curves. At the same time, there are strong relations between the two problems (see [9, 6]). In this section we define an endomorphism computation counterpart to De Feo-Jao- Plût s isogeny problem, and we show how leaking the image of torsion points helps in solving this problem. 3. Endomorphism Computation Problem with Additional Information We consider the following problem: Problem 2 Let p be a prime and let E be a supersingular elliptic curve defined over F p 2. Let φ be a non scalar endomorphism of E with smooth degree N. Let N 2 be a smooth integer with gcd(n, N 2 ) =, and let P, Q be a basis of E[N 2 ]. Let R be a subring of End(E) that is either easy to compute, or given. Given E, P, Q, φ(p ), φ(q), deg φ, R, compute φ. Remark. This problem is similar to the problem appearing in De Feo-Jao-Plût protocols, with the additional requirement E = E 2. Remark. When no endomorphism subring is explicitly given one can take for R the subring of scalar multiplications, which we will denote R = Z. Remark. If we do not use the additional information the best algorithm for this problem will be a meet-in-the-middle approach: compute all isogenies of degree approximately N from E and search for a collision. As N is smooth the cost for each isogeny is polynomial, resulting in an algorithm with roughly Õ( N ) complexity. 7

8 Algorithm Computing an Endomorphism from Additional Information Require: As in Problem 2, plus parameter B. Ensure: A description of φ as a composition of low degree maps. : Find N N and θ, θ 2 R such that deg(θ φ + θ 2) = N N 2 and gcd(deg θ, N ) =, and such that N is B-smooth and as small as possible. 2: Compute ker ψ N2 using the additional information, where θ φ + θ 2 = ψ N ψ N2 and ψ N, ψ N2 are respectively of degrees N and N 2. 3: Compute ψ N using a meet-in-the-middle approach. 4: Compute ker φ = ker(θ (ψ N ψn 2 θ 2)) by evaluating all maps on the N torsion. 5: Compute φ from ker φ. 3.2 General Strategy Our general strategy is summarized in Algorithm. From what is given in the problem we can compute the image of φ on any point in E[N 2 ]. Let θ, θ 2 R be known endomorphisms of E, to which we associate another endomorphism ψ := θ φ + θ 2. Of course we do not know φ so far, but since we know θ, θ 2, and the action of φ on E[N 2 ] we can nevertheless evaluate ψ on any point of E[N 2 ]. Let us now assume that the maps θ, θ 2 are chosen such that deg ψ = N N 2 for some N Z. An algorithm to achieve that together with an additional smoothness condition on N will be described in the next subsection for the case R = Z. The endomorphism ψ can then be written as a composition of two isogenies ψ = ψ N ψ N2 with ψ N and ψ N2 respectively of degrees N and N 2. By computing ψ on a basis of E[N 2 ] and solving some discrete logarithm problems in E[N 2 ] we deduce the kernel of ψ N2 and then deduce ψ N2 itself. This is efficient since N 2 is smooth by assumption. At this point, the map ψ N is an isogeny of degree N between two known j- invariants, namely the curve image of ψ N2 and the original curve E. We recover this isogeny using the meet-in-the-middle approach analyzed in Lemma. The efficiency of this step depends on the factorization of N. At this point, we have computed the map ψ as a composition ψ = ψ N ψ N2. We deduce an expression for φ, namely θ (ψ N ψ N 2 θ 2 ), and assuming gcd(deg θ, N ) = we evaluate this map on the N torsion to identify ker φ, from which we recompute a more canonical description of φ. This is efficient as N is smooth. Remark. We do not use the additional information to compute ψ N. Note that part of the N 2 torsion is annihilated by ψ N2, so we only know ψ N and its dual on one cyclic subgroup of the respective N 2 torsions. 8

9 Remark. There is no gain in generality in considering maps of the form ψ := θ φθ 3 +θ 2 for θ, θ 2, θ 3 R. Indeed we have θ φθ 3 + θ 2 = ˆφˆθ θ 3 + θ 2 + Tr(θ φ)θ 3. Taking conjugates we obtain an element ˆψ = ˆθ 3 θ φ + ˆθ 2 + Tr(θ φ)ˆθ 3 Rφ + R with the same norm. Similarly, there is no gain in generality in using powers of φ since φ 2 = (Tr φ)φ deg φ. 3.3 Attack when R = Z We first consider the most generic case where the only known endomorphisms of E are scalar multiplications. We define for a, b Z, which has degree deg ψ a,b = a 2 deg φ + b 2 + ab Tr φ = ψ = ψ a,b = aφ + b ( b + a Tr φ ) ( 2 + a 2 deg φ 2 ( ) ) 2 Tr φ. 2 Our goal is to find a, b such that deg ψ a,b = N N 2, where N is as small and as smooth as possible. Parameter Restriction. The attack we describe below requires two assumptions on the parameters.. We require N 2 > 2 N. 2. We also require that D is a square modulo N 2, where D = deg φ ( ) Tr(φ) 2. 2 Note that in the Jao-De Feo key exchange protocol we have N 2 N so the first assumption does not look too strong. By Hensel s lifting lemma the second condition is equivalent to D being a square modulo every odd prime factor of N 2 and congruent to modulo 8 when 2 divides N 2. If we consider the endomorphism φ as fixed, this condition restricts N 2 values as follows: If N 2 = l e is a prime power (as for Jao-De Feo s parameters and the unbalanced variant), the second condition is satisfied if and only if D is a quadratic residue modulo l, and heuristically we expect this to occur for half of the primes l. In our optimal degree variant, N 2 is a powersmooth number whose prime factors will be as small as possible. We can heuristically expect that about one half of these prime factors l i will be such that D is a quadratic residue modulo l i. There will therefore exist a factor N 2 of N 2 such that N 2 N 2 and D is a quadratic residue modulo N 2. Moreover if N 2 N or bigger, we can use N 2 in the attack instead of N 2, and still satisfy the first condition. This suggests that the conditions above are relatively mild, in the sense that they are satisfied for a large set of parameters with the expected forms. In the remaining of this section we assume that both conditions above are satisfied. 9

10 Algorithm. Remember that from the additional information given in the problem we can compute the image of φ on any point in E[N 2 ]. Note that since N and N 2 are coprime, φ is a one-to-one map on E[N 2 ]. From the relation φ ˆφ = [deg φ] we can also compute the image of any point in E[N 2 ] by the dual map ˆφ. We can therefore also evaluate Tr(φ) on E[N 2 ]. By solving a discrete logarithm problem in E[N 2 ] we deduce Tr(φ) mod N 2. By the Cauchy-Schwarz inequality we also have Tr(φ) 2 deg φ so under our first parameter restriction that N 2 > 2 N we actually recover Tr(φ) exactly. Let D = deg φ 4 (Tr(φ))2 and let τ such that τ 2 = D mod N 2. Such a τ exists under our second parameter restriction, and can be efficiently computed using Tonelli- Shanks algorithm and Hensel s lifting lemma. Points (x, y) in the lattice generated by the two vectors (N 2, 0) and (τ, ) correspond to solutions of the equation x 2 + Dy 2 = 0 mod N 2. We compute a reduced basis for the lattice, with respect to a weighted inner product norm where the second component is weighted by D. This can be done in polynomial time. Finally we let a := y 0, b = x 0 Tr(φ) 2 y 0 and N = x2 0 +Dy2 0 N 2, where (x 0, y 0 ) is a well-chosen short vector in the lattice. To choose (x 0, y 0 ) we proceed as follows. Using the short basis computed above we generate short vectors and compute the corresponding N values, until we obtain N such that the meet-in-the-middle strategy is efficient enough (see Lemma ). Complexity analysis. We first analyze the expected norms of minimal lattice vectors. Lemma 2. Under plausible heuristic assumptions, the shortest vectors in the lattice have norm N N 2 where N N. PROOF: Heuristically, a proportion about /N 2 pairs (x, y) will satisfy the congruence x 2 + Dy 2 = 0 mod N 2 so we expect xy N 2. We can also expect that minimal vectors (x, y) in the lattice have their coefficients balanced such that x 2 Dy 2 N N 2. (If N2 2 < D then the smallest element will of course be (N 2, 0), however by our parameter restriction we have D N < N2 2.) Combining all these approximations gives (N N 2 ) 2 x 2 Dy 2 = D(xy) 2 DN2 2, hence N D N. By construction any lattice vector will have a norm divisible by N 2. In our algorithm we generate random short vectors until the cofactor N is smooth enough. To estimate the number of random trials needed, we (heuristically) approximate the smoothness probability of N by the smoothness probability of a random number of the same size. For any positive integers X, Y, let π(x, Y ) be the proportion of integers smaller than X that are Y -smooth. For any positive integer X and any 0 α, let L X (α) = exp (log X)α (log log X) α be the subexponential function. We recall the following wellknown fact [7]: Lemma 3. For any 0 α and any large enough X, we have π(x, L X (α)) (L X ( α)). We deduce the following result: Proposition. Subject to the above parameter restrictions and under plausible heuristic assumptions, Problem 2 can be solved in time O(N /4+ɛ ) for any ɛ > 0. 0

11 PROOF: The algorithm and heuristic assumptions required have been described earlier in this section. The cost of the algorithm depends mostly on the smoothness bound required on lattice vectors, which decides both the cost of finding a suitable vector and the meet-in-the-middle cost needed to compute ψ N. Using a smoothness bound L N (α) for any 0 < α <, the cost of finding a suitable vector in the lattice is bounded by (L N ( α)) << O(N /4+ɛ ), and the meet-inthe-middle computation has a cost Õ(N L N (α)) = O(N /4+ɛ ) by Lemma. /4 By exploiting the images of torsion points, our algorithm provides a near-square root speedup for Problem 2 over the previous state-of-the-art algorithm. Improvement when gcd(d, N 2 ). For any r gcd(d, N 2 ) there exist a, b Z with (aφ + b)/r End(E) and r gcd(a, b). Moreover we can normalize pairs of this form such that a =. We can identify the corresponding correct b by trying every possibility until φ + b annihilates the r torsion. This has a cost O(r). Alternatively we can solve some discrete logarithm problems to find b in at most O( r) operations. In any case since N 2 is smooth we can process small factors one at the time, and efficiently deduce φ r Z[, φ] End(E), with a new D value D = D/ gcd(d, N 2 ). Moreover we can evaluate φ on the N 2 / gcd(d, N 2 ) torsion. Following the analysis above, we expect that this will reduce the complexity by a factor gcd(d, N 2 ). 3.4 Variants and Extensions We could consider variants of Problem 2 where information is given on several endomorphisms of a single curve, and develop similar attacks. A particular case of interest is the case of subfield curves, namely curves defined over F p, when we can use R = Z + π p Z where π p : (x, y) (x p, y p ). Remark. When E is defined over F p one can compute the full endomorphism ring in expected time Õ(p/4 ) using the techniques of Delfs and Galbraith [6]. Under the (reasonable) parameter restriction that N 2 > 2 N we can compute Tr φ as above, and substitute φ by φ = φ Tr φ 2 in the problem so that Tr φ = 0. Let := deg φ = N 4 (Tr φ)2. We can consider an endomorphism of the form with degree ψ = (aφ + b)π p + cφ + d, deg ψ = (a 2 + b 2 )p + (c 2 + d 2 ) + Tr ((aφ + b)π p ( cφ + d)) = (a 2 + b 2 )p + (c 2 + d 2 ) + (ad bc) Tr(φ π p ). If N 2 > 2 N p we can evaluate Tr(π p φ ). We are then left with finding a, b, c, d, N Z such that deg ψ = N N 2 and moreover N is both small and smooth such that the meet-in-the-middle strategy (Lemma ) is efficient. Note that for the minimal solution we expect a 2 pn b 2 N c 2 p d 2 N N 2 and abcd N 2, hence d 4 N 2 N p and N N /2 p /2 N /2 2. This means that if N 2 N p we can expect a solution with N = O().

12 Remark. The discussion in this section provides a reduction from an isogeny problem to a Diophantine equation problem, arguably a step forward in the cryptanalysis. We leave the construction of an efficient (classical or quantum) algorithm to solve this Diophantine equation to further work. Remark. Efficient solutions for quaternary quadratic form equations exist over the rationals [5, 20]; however we are not aware of any efficient algorithm that would return integer solutions. 4 Attacks on (Variants of) the Key Exchange Protocol We now turn to isogeny problems with additional information, as in De Feo-Jao-Plût s protocols. 4. Problem Statement In this section we consider the following problem. Problem 3 Let p be a prime. Let N, N 2 Z be coprime. Let E 0 be a supersingular elliptic curve over F p 2. Let φ : E 0 E be an isogeny of degree N. Let R 0, R be subrings of End(E 0 ), End(E ) respectively. Given N, E, R 0, R and the image of φ on the whole N 2 torsion, compute φ. Remark. The most generic case for this problem is R 0 = R = Z, namely only the scalar multiplications are known (and do not need to be explicitly given). If E 0 is defined over F p we can take R 0 = Z[π p ] where π p is the Frobenius. In some previous implementation works [4, 7] it was suggested for efficiency reasons to use special curves in the key exchange protocol, such as a curve with j-invariant j = 728. In this case we have R 0 = End(E 0 ), and moreover R 0 contains some non scalar elements of small degrees. 4.2 Attack Model and General Strategy We provide algorithms that use the additional information provided by the image of torsion points to solve Problem 3 with dramatic speedups compared to the basic meetin-the-middle strategy. All our attacks assume that the subring of endomorphisms R 0 contains more than the scalar multiplications. They are particularly efficient when special curves E 0 are used, such as in [4, 7]. Another current limitation of our attacks is that they require N 2 significantly larger than N. This condition could plausibly be met in practice (should this paper not have warned against them!) in the following scenarios: In the unbalanced variant of the original protocol. We recall that this variant could a priori have been used when one party uses a static key and the other party uses an ephemeral key, as is the case for example in the public key encryption scheme. 2

13 In the optimal degree variant of the protocol, a server might have used a static key and published the images of a very large torsion group E 0 [N 2 ], for example to allow connections with a wide range of clients using different sets of parameters. Our basic strategy is as follows. For any known endomorphism θ End(E 0 ) we can consider the endomorphism φ = φ θ ˆφ End(E ). Moreover if θ is non scalar then φ is also non scalar. Using our knowledge of how φ acts on the N 2 torsion we can also evaluate φ on the N 2 torsion, and hence apply the techniques from the previous section. Once we have an expression for φ we can use it to evaluate φ θ ˆφ on the N torsion. Since N is smooth an easy discrete logarithm computation gives generators for ker(φ θ ˆφ ) E [N ]. The latest group contains ker ˆφ as a cyclic subgroup of order N. When it is cyclic we directly recover ker ˆφ and deduce φ ; in Section 4.3 below we show how to do it in the general case. Remark. Our resolution strategy requires that R 0 contains more than the scalar multiplications, as otherwise φ is just a scalar multiplication. In Sections 4.4 and 4.5 below we give two examples of attacks that can be developed using our techniques. The first attack assumes that E 0 is defined over F p, and moreover that E 0 has a small degree endomorphism ι such that Tr(ι) = Tr(ιπ p ) = 0. This is the case for example if j(e 0 ) = 728. Currently the attack applies only to our optimal degree variant. For well-chosen values of N 2 larger than N 4 the attack recovers the secret key G in polynomial time. The second attack only requires that E 0 has a small degree endomorphism, but on the other hand it needs log N 2 = O(log 2 N ) to recover the secret key G in polynomial time. This attack deviates from the basic strategy explained above and it instead uses some recursive step. We provide a heuristic analysis and some experimental support for this attack for both the unbalanced and the optimal degree variants. Both attacks are heuristic, as their analysis makes unproven assumptions on factorization properties of certain numbers. We leave a better analysis, further variants and improvements to further work. 4.3 Recovering φ from ker(φ θ ˆφ ) In the strategy outlined above we need to recover φ from ker(φ θ ˆφ ). Here we give a method to do this and we show that the method is efficient. For simplicity we assume without loss of generality that deg θ is coprime with N. Let G := ker(φ θ ˆφ ) E [N ]. Clearly ker ˆφ is a cyclic subgroup of order N in G. When G is cyclic this immediately gives ker ˆφ. When G is not cyclic, let M N be the largest integer such that E [M] G. The isogeny φ : E 0 E can be decomposed as an isogeny φ M of degree M from E 0 to a curve E M, and a second isogeny of degree N /M from E M to E. We denote by φ N/M the dual of this second isogeny, namely φ N/M : E E M and φ = ˆφ N/M φ M. This is represented in the picture below: 3

14 φ M φ N/M E E 0. M E φ Clearly, recovering φ M and φ N/M, or equivalently their kernels, is sufficient to recover φ. The second isogeny φ N/M is the easiest one to recover: ( Lemma 4. We have ker φ N/M = M ker(φ θ ˆφ ) ) E [N ]. PROOF: Clearly ker φ N/M = M ker ˆφ (. The later is a cyclic subgroup of M ker(φ θ ˆφ ) ) E [N ] ( of order N /M. By our definition of M, the group M ker(φ θ ˆφ ) ) E [N ] is cyclic, hence equal to M ker ˆφ as well. We now focus on φ M, and we first identify a property that its kernel must satisfy: Lemma 5. We have θ(ker φ M ) = ker φ M. PROOF: Equivalently, we want to prove θ (ker φ M ) = ker φ M. We have ker φ M = ker φ E 0 [M] = ˆφ (E [M]) and similarly θ (ker φ M ) = θ (ker φ ) E 0 [M] = ker(φ θ) E 0 [M], so we can rephrase the lemma as ˆφ (E [M]) = ker(φ θ) E 0 [M]. Since ˆφ (E [N ]) is cyclic, so is ˆφ (E [M]). Therefore E [M] ker(φ θ ˆφ ) E [M] if and only if ˆφ (E [M]) ker φ θ. By the definition of M we have E [M] ker(φ θ ˆφ ) E [M] so ˆφ (E [M]) ker φ θ. Moreover M is the largest such integer and ˆφ (E [M]) is cyclic, so the equality holds. As we know the endomorphism θ, we can evaluate its action on the M torsion and identify potential candidates for ker φ M. Lemma 6. Let k be the number of distinct prime factors of M. Then there are at most 2 k cyclic subgroups H of order M in E 0 [M] such that θ(h) = H. PROOF: Let {P, Q} be a basis for E 0 [M], and let α, β be integers such that ker φ M = αp + βq. We have gcd(α, β, M) =. The action of θ on E 0 [M] can be described by a matrix m = ( ) a b c d GL(2, ZM ) such that θ(p ) = ap + bq and θ(q) = cp + dq. Moreover we have det(m) = ad bc = deg θ mod M and Tr(m) = a + d = Tr(θ) mod M. The condition θ(ker φ M ) = ker φ M from Lemma 5 now becomes αp + βq = (aα + cβ)p + (bα + dβ)q or equivalently or (aα + cβ)β = (bα + dβ)α mod M, cβ 2 + (a d)αβ bα 2 = 0 mod M. 4

15 The latest has solutions if and only the discriminant (a d) 2 4bc = (Tr(θ)) 2 4 deg θ mod M is a quadratic residue, and this is the case by assumption. Clearly there are at most two solutions modulo any prime l M, and by Hensel s lifting lemma a solution modulo a prime l M determines a unique solution modulo any power of l dividing M. We remark that when N is smooth, our proof implicitly provides an efficient algorithm to identify all the candidate kernels. When N is a prime power then k is at most one, and we we are done. Our last lemma shows that for powersmooth numbers, the expected value of k is small enough to allow a polynomial time exhaustive search of all candidate kernels. Lemma 7. Let N be a powersmooth number. Assume φ be chosen uniformly at random among all isogenies of degree N from E 0. Then the expected value of k is bounded by 2 log log N. PROOF: Clearly the number of distinct prime factors of N is smaller than log 2 N. In the proof of the previous lemma we showed that for every prime l dividing M N, there are at most two candidate cyclic subgroups H l such that θ(h l ) = H l. We can therefore bound the expected value of k by E[k] l N,l prime l log N 2 l + < 2 log N l 2 l log N l 2 log log N. 4.4 Attack when E 0 is special In this section we focus on the optimal degree variant of the protocol. We assume E 0 is defined over F p, so that End(E 0 ) contains the Frobenius endomorphism π p : (x, y) (x p, y p ). Moreover we assume End(E 0 ) contains some non scalar element ι with small norm q such that Tr(ι) = Tr(ιπ p ) = 0. (Maximal orders with minimal such ι were called special in [3].) Then clearly the attacker knows π p and they can efficiently compute ι by testing all isogenies of small degree. We consider an endomorphism of E defined by φ = φ (aιπ p + bπ p + cι) ˆφ + d, with degree deg φ = N 2 pqa 2 + N 2 pb 2 + N 2 qc 2 + d 2. 5

16 Remark. There is no gain of generality in allowing scalar components in R 0 : indeed φ Z ˆφ = N Z R. Similarly as before, our goal is now to find tuples of integers (a, b, c, d) such that deg φ = N N 2 and N is small. We first discuss some elementary properties of the solutions. Lemma 8. Let (a, b, c, d) defining φ as above, with deg φ = N N 2 for some N. Then N N 2 is a square modulo N 2 ; except for exceptional parameters, N N 2 is not much smaller than N 4 ; except for exceptional parameters, N is not much smaller than p. PROOF: We have d 2 = N N 2 mod N 2. For any N this defines d modulo N 2 up to sign, hence except for exceptional parameters d 2 will not be much smaller than N 4. We then have pqa 2 + pb 2 + qc 2 = N N 2 d 2 N 2, and the value of c is defined modulo p up to sign (assuming such a value exists). Except for exceptional parameters c 2 will not be much smaller than p 2, hence N will not be much smaller than p. N 2 Parameter restriction. Recall that in this section we focus on the optimal degree variant, hence N and N 2 are powersmooth numbers. From now on, we assume that N > p, that N 2 N 4 and that N 2 is a square modulo N 2. This ensures that all the conditions identified in Lemma 8 are satisfied provided N is a square modulo N 2. Note that we can always ensure that a powersmooth number N 2 is also a square modulo N 2 by dividing and/or multiplying it by a well-chosen small prime. In the first case we will have to work with a slightly smaller N 2 value in our attack, and in the second case we will have to perform some small guess on the images of the full N 2 torsion. Algorithm. We now describe an algorithm that computes a tuple (a, b, c, d) that can be used in our attack. We first attempt to find a solution with N =, and when this fails we successively increase N to the next square. For a given N, the value of d is determined modulo N 2 up to the sign. We try possible values of d until we find one such that q N N2 d2 is a square modulo p. At this point we try random values for c N 2 satisfying the congruence condition, until the equation a 2 q + b 2 = N N 2 d 2 pc 2 pn 2 has a solution, which we compute with Cornacchia s algorithm. This algorithm is detailed below in Algorithm 2. The complexity of this algorithm is analyzed in the following lemma. 6

17 Algorithm 2 Finding attack parameters when E 0 is special Require: N, N 2, q as above. Ensure: Parameters (a, b, c, d) and N for an attack. : i. 2: N i 2. 3: Let d such that 0 d N 2 and d 2 = N N 2 mod N 2. 4: m N N 2 d 2. N 2 5: if mq is not a square modulo p then 6: if d < N N 2 N 2 then 7: d d + N 2. 8: go to Step 4. 9: else 0: i i +. : go to Step 2. 2: Let ĉ such that 0 ĉ < p and qĉ 2 = m mod p. 3: Let r be a random integer in [0, m/p]. 4: c ĉ + rp. 5: n N N 2 d 2 c 2 N 2 q. N 2p 6: if n has an easy factorization (for example if n is prime) then 7: Solve equation a 2 q + b 2 = n with Cornacchia s algorithm 8: if there is no solution then 9: go to Step 3. 20: return (a, b, c, d, N ). Lemma 9. Let all parameters be restricted as above. Under plausible heuristic assumptions Algorithm 2 terminates in polynomial time. PROOF: Computing quadratic residues (Step 5), modular square roots (Steps 3 and 2) and Cornacchia s algorithm (Step 7) all run in polynomial time. Heuristically, the quadratic residuosity condition in Step 5 will be satisfied for every other value of d, so the algorithm will reach Step 2 with a very small value of N. Consequently in Step 4 we expect m = N N2 d2 N 2 m/p N 2 /p > p. In Step 5 we expect n = N N2 d2 c 2 N 2 q N 2 p N 2 and in Step 3 we expect N N2 N 2 p N N 2 p > N p p. As long as log N = O(log p), the expected number of random trials on c until n is prime is therefore log n O(log p). Moreover by Dirichlet s density theorem the density of primes represented by the norm form a 2 q + b 2 is /2H(q) > q/2 where H(q) < q is the class number of Q[ q]. Finally under the Generalized Riemann Hypothesis we have q = O((log p) 2 ) []. This shows that a polynomial number (in the security parameter λ) of values r must be tested in Step 3 until a suitable one is found. Since the expected size of m/p is bigger than p, the algorithm is expected to terminate in polynomial time with a solution. We deduce the following: 7

18 Proposition 2. Let N and N 2 be powersmooth numbers as in our optimal degree variant of Jao-De Feo s protocol. Assume moreover that N > p, that N 2 N 4 and that N 2 is a square modulo N 2. Then under plausible heuristic assumptions Problem 3 can be solved in polynomial time when the initial curve E 0 has j invariant j = 728, or more generally when the curve is special in the sense of [3]. Remark. In the original and unbalanced variants of the protocol we have N N 2 < p so N > N 2 p/n 2 > N, unless a = b = 0. In the next section we provide an attack that works in this setting. 4.5 Attack when R 0 = Z + θz (with deg θ small) and R = Z An algorithm to recover φ using only the scalar multiplications of E and the image of φ on the N 2 torsion was described in Section 3.3. However this in combination with our basic strategy above does not a priori provide any speedup on the straighforward meet-in-the-middle approach. Indeed we have deg φ = N 2 deg θ N 2 in the most favorable case (when deg θ = ) so by the analysis of Section 3.3 we expect to have at best N D deg φ N. We therefore modify the basic strategy. Modified Strategy. We adapt the techniques of Section 3.3 to reduce Problem 3 to another instance of itself with smaller parameters N < N /2 and N 2 some factor of N 2. After repeating this reduction step O(log N ) times we end up with an instance of Problem 3 where N is sufficiently small that it can be solved in polynomial time with a meet-in-the-middle approach. Parameter Restriction. We will require that End(E 0 ) has some non scalar element θ of small degree (which does not need to be explicitly given, as it can then be computed efficiently by trying all isogenies of this degree). This is for example the case in Costello et al. s implementation [4] where j = 728. In our reduction we will also require N 2 /N 2 > 2N θ where θ = deg θ 4 Tr2 θ. This implies that we will need to start with parameters such that log N 2 is at least O(log 2 N ). Note that in the original De Feo-Jao-Plût protocols we had N N 2. Reduction Step. We fix some θ End(E 0 ) with small norm q, and let D θ := deg θ 4 Tr2 θ. Then we choose some factor Ñ2 of N 2 such that Ñ2 > KN q for some K >, and D θ is a square modulo Ñ2. We proceed as in Section 3.3 to compute a, b and N such that deg(aφ θ ˆφ + b) = N Ñ2 and N is as small as possible. Namely, we choose τ such that τ 2 = D θ mod Ñ2, then we compute a short vector in a twodimensional lattice generated by two vectors (Ñ2, 0) and (τ, ) with a weighted norm (x, y) = (x 2 + D θ y 2 ) /2, and we deduce a, b and N. If N > N /2 we start again with a new square root of D θ modulo Ñ2, or with a new Ñ2 value. If N < N /2 we define φ N, φñ2 two (still unknown) isogenies of degrees N and Ñ 2 such that aφ θ ˆφ + b = φ N φñ2. We evaluate aφ θ ˆφ + b on the Ñ2 torsion to identify the Ñ2 part of the kernel of aφ θ ˆφ + b, then the corresponding isogeny. We evaluate this isogeny on the N 2 = N 2 /Ñ2 torsion, and deduce the action of φ N on the 8

19 N 2 torsion. We then apply the reduction step recursively to compute some representation of φ N. Finally, we evaluate (φ N φñ2 b)/a on the N torsion to identify ker ˆφ, and from there we compute a more canonical expression for φ. Complexity analysis. Our reduction procedure implicitly relies on the following informal assumption: Assumption Let K > be a small constant, and suppose that D θ is small. The probability that a random powersmooth value Ñ2 > KN q leads to N < N /2 is large. Note that following the analysis of Lemma 2 we expect to find N of size at most N Dθ. Assumption tells that with some probability on the choice of Ñ2, we can find a value N smaller than this bound by at least a (small) factor 2 D θ. This assumption seems very plausible. Using lattice terminology, the expectation on N comes from the well-known Gaussian heuristic, and Assumption tells that the proportion of lattices with small deviations from this heuristic is significant. In continued fraction terminology, Assumption considers the proportion of values Ñ2 such that some rational fraction approximation of τ/n is a little bit better than what is guaranteed by the bounds, and tells that this proportion is significant. Finally, Assumption receives further support from our experiments described below. We deduce the following result: Proposition 3. Let N and N 2 be coprime smooth numbers, with log N 2 = O(log 2 N ). Then under plausible heuristic assumptions Problem 3 can be solved in polynomial time when the initial curve E 0 has a small degree endomorphism. PROOF: All subroutines in our reduction procedure require at most polynomial time, and under Assumption these steps will only be executed a polynomial number of times. Remark. Suppose p = 3 mod 4 and suppose j 0 = 728 as in Costello et al. s implementation [4]. In this case there exists a non scalar endomorphism ι End(E 0 ) with norm and trace 0. Any θ End(E 0 ) must either have a large norm or be of the form θ = aι + b for two small a, b Z. In the last case we then have θ = a 2, so θ is a square modulo some prime r if and only if is a square modulo r. This implies that no prime factor r of N 2 with r = 3 mod 4 can be used in our attack. On the other hand, any prime factors with r = mod 4 can be used in the attack. Experiments for the optimal degree variant. We wrote a small Magma program [23] to compute the successive pairs of parameters (a, b) to use in our attack, and test the heuristic assumptions involved in our analysis (the code is available in the eprint version of this paper [5]). In our experiments we generate random p values, choose N powersmooth and then search for a coprime Ñ2 > 2qN leading to N < N /2q. We repeat this recursively until N is small enough (smaller than some polylog bound in 9

20 p). We used K = 2 in these experiments. For 80-bit security parameters our program gives the parameters of an attack in a few seconds. The full attack requires isogenies of degree at most about Experiments for the unbalanced variant. We also ran attack experiments for the unbalanced protocol variant. In all experiments we took l = 2 and l 2 = 5. We considered values of e between 20 and 00, and we searched for the minimal value of e 2 such that the attack could reduce N to a value smaller than 00. Table provides some successful attack parameters. In addition to e and e 2 it shows the value e2 log 2 5 (which e 2 seems close to a constant /2, as expected), the value K used for these parameters, and the number of reduction steps used. Our Magma code is provided in the eprint version of this paper [5]. Table. Some successful attack parameters against the unbalanced variant (l = 2 and l 2 = 5) e e e2 log K # steps e Remark. The parameter K must be larger than in our attack as N > N 2 q/ñ2 for any a 0. We experimentally observed that K = 2 was sufficient in the optimal degree variant to make N decrease by a factor 2 at each reduction step. The unbalanced variant leaves less flexibility in the parameter choice, so we did not impose a factor 2 decrease on N (and in fact we even allowed it to increase in some reduction steps). We observed that lower values of K were then sufficient. We have also observed experimentally that the value of K has some moderate impact on the overall performances of the attack (required size for N 2, number of reduction steps). We leave a thorough investigation of optimal parameter choices for our attack to further work. Remark. When N 2 is too small to execute O(log N ) reduction steps, then we may replace the missing last reduction steps by a final meet-in-the-middle strategy. Depending on the final size of N and on its largest prime factor this may still provide some exponential speedup over the basic meet-in-the-middle strategy. We note, however, that for the original parameters proposed by Jao and De Feo, at most one recursive step can be performed. In this case it might be possible to find some (exceptional) set of parameters that would improve the best attack by a few bits, but for most parameters we do not expect any savings. 20